01-24-2022 12:22 AM
Hi All,
We have several Windows 10 clients (3rd Party but using our infrastructure) that need to transit through our PA-3260 to their home network via MS always on vpn. Unfortunately this does not work, we have a very open "any-any" rule in place for these but still they wont connect.
Does anybody have any pointers on how to get this to work ?.
Regards
Scott
01-24-2022 01:26 AM
You to do more troubleshooting as it could be many things split tunneling making the destination sites/domains/applications not going through the VPN, having security zones for the VPN tunnel but using the normal zones not the VPN ones to allow the traffic etc.:
Create Interfaces and Zones for GlobalProtect (paloaltonetworks.com)
Split Tunnel Traffic on GlobalProtect Gateways (paloaltonetworks.com)
Optimized Split Tunneling for GlobalProtect (paloaltonetworks.com)
Also you may check that the globalprotect agent is ok by using the PanGPS, PanGPA logs and the globalprotect logs from the Palo Alto Firewall web gui (for RDP VDI traffic to enter the vpn tunnel an option should be enabled on the globalprotect portal config):
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRlCAK
GlobalProtect Logs (paloaltonetworks.com)
Also if nothing helps check for drops:
01-24-2022 11:50 PM
Hi - This has nothing to do with Global Protect, The Windows machines are using Microsoft's built "Always On" vpn transiting through the Palo out to the internet to Microsoft vpn server.
They are going from Trust To Untrust via an any any rule with no security profile, they can get to normal internet services but never connect to their vpn server, however if we bypass the Palo they connect fine.
01-25-2022 03:19 AM - edited 01-25-2022 06:07 AM
Now I see the full picture and maybe use the IPSEC app in your rule or make separate one as Palo Alto has articles for IPSEC passthrough traffic and by using the Palo alto IPSEC app the session will have specific settings.
Also check your NAT policy on the Palo Alto if it changes the traffic source, destination as this could affect the Tunnel and if you still have issues check with packet capture, global counters and policy trace(policy trace the security policy to confirm that you are hitting the correct rule or the NAT policy to see that you are not applying NAT) if palo alto is blocking the VPN traffic or dropping as if for example the the VPN headers may add some extra bits and fragmentation to be needed but the do not fragment bit to be set or other stuff like that.
If you need to NAT the traffic on the palo alto firewall you need to enable nat traversal on the enpoints and see:
LIVEcommunity - IPSEC Pass Through - LIVEcommunity - 48948 (paloaltonetworks.com)
Edit:
Also you did not mention if it is site to site ipsec or remote VPN connection where also SSL VPN could be used and then you need to check if the firewall allows the correct ssl traffic on the correct port and maybe without trying to NAT or decrypt it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
